Total CVEs
2718
last 14 days
Avg Priority
33.0
of max 220
KEV
3
actively exploited
POC
356
public exploits
Unpatched
705
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 32 |
CVE-2026-33708
Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info
|
| 32 |
CVE-2026-39943
Directus is a real-time API and App dashboard for managing SQL database content.
|
| 32 |
CVE-2026-35173
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR /
|
| 32 |
CVE-2026-33736
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authentica
|
| 32 |
CVE-2026-35441
### Summary
Directus' GraphQL endpoints (`/graphql` and `/graphql/system`) did
|
| 32 |
CVE-2026-34756
### Summary
A Denial of Service vulnerability exists in the vLLM OpenAI-compatib
|
| 32 |
CVE-2026-35403
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web app
|
| 32 |
CVE-2026-34897
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 32 |
CVE-2026-1101
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 bef
|
| 32 |
CVE-2026-40148
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall(
|
| 32 |
CVE-2026-35599
## Summary
The `addRepeatIntervalToTime` function uses an O(n) loop that advanc
|
| 32 |
CVE-2026-34755
## Summary
The `VideoMediaIO.load_base64()` method at `vllm/multimodal/media/vi
|
| 32 |
CVE-2026-2377
A flaw was found in mirror-registry. Authenticated users can exploit the log exp
|
| 32 |
CVE-2026-3618
The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Si
|
| 32 |
CVE-2026-4429
The OSM - OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site
|
| 32 |
CVE-2026-5742
The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in
|
| 32 |
CVE-2025-13535
The King Addons for Elementor plugin for WordPress is vulnerable to multiple Con
|
| 32 |
CVE-2026-34716
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AV
|
| 32 |
CVE-2026-4336
The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Si
|
| 32 |
CVE-2026-3142
The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vu
|
| 32 |
CVE-2026-4025
The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site
|
| 32 |
CVE-2026-4303
The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable
|
| 32 |
CVE-2026-2305
The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cros
|
| 32 |
CVE-2026-5590
A race condition during TCP connection teardown can cause tcp_recv() to operate
|
| 32 |
CVE-2026-4300
The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripti
|
| 32 |
CVE-2026-3600
The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi
|
| 32 |
CVE-2026-4073
The pdfl.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi
|
| 32 |
CVE-2026-4341
The Prime Slider - Addons for Elementor plugin for WordPress is vulnerable to St
|
| 32 |
CVE-2026-3513
The TableOn - WordPress Posts Table Filterable plugin for WordPress is vulnerabl
|
| 32 |
CVE-2026-4333
The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to Stor
|
| 32 |
CVE-2026-4895
The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulne
|
| 32 |
CVE-2026-4785
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for W
|
| 32 |
CVE-2026-5357
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 32 |
CVE-2026-1263
The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in
|
| 32 |
CVE-2026-4655
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stor
|
| 32 |
CVE-2026-1834
The Ibtana - WordPress Website Builder plugin for WordPress is vulnerable to Sto
|
| 32 |
CVE-2026-5506
The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t
|
| 32 |
CVE-2026-1396
The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to S
|
| 32 |
CVE-2026-3498
The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scri
|
| 32 |
CVE-2026-2480
The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerabl
|
| 32 |
CVE-2026-0626
The WPFunnels - Easy Funnel Builder To Optimize Buyer Journeys And Get More Lead
|
| 32 |
CVE-2026-5508
The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting v
|
| 32 |
CVE-2026-2924
The Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for Wor
|
| 32 |
CVE-2026-2949
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable
|
| 32 |
CVE-2026-4871
The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Si
|
| 32 |
CVE-2026-3239
The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site
|
| 32 |
CVE-2026-3311
The The Plus Addons for Elementor - Addons for Elementor, Page Templates, Widget
|
| 32 |
CVE-2026-2481
The Beaver Builder Page Builder - Drag and Drop Website Builder plugin for WordP
|
| 32 |
CVE-2026-2437
The WP Travel Engine - Tour Booking Plugin - Tour Operator Software plugin for W
|
| 32 |
CVE-2026-5372
An issue that allowed a SQL injection attack vector related to saved queries (in
|
| 32 |
CVE-2026-0688
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery
|
| 32 |
CVE-2026-35507
Shynet before 0.14.0 allows Host header injection in the password reset flow.
|
| 32 |
CVE-2026-25601
A vulnerability was identified in MEPIS RM, an industrial
software product devel
|
| 32 |
CVE-2026-33727
Pi-hole is a Linux network-level advertisement and Internet tracker blocking app
|
| 32 |
CVE-2026-0738
The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerabl
|
| 32 |
CVE-2026-0737
The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerabl
|
| 32 |
CVE-2025-15064
The Ultimate Member - User Profile, Registration, Login, Member Directory, Conte
|
| 32 |
CVE-2025-13368
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable
|
| 32 |
CVE-2026-2600
The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerabl
|
| 32 |
CVE-2026-0552
The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site
|
| 32 |
CVE-2026-4379
The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site
|
| 32 |
CVE-2026-2988
The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site S
|
| 32 |
CVE-2025-14732
The Elementor Website Builder - More Than Just a Page Builder plugin for WordPre
|
| 32 |
CVE-2026-0664
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cros
|
| 32 |
CVE-2026-2509
The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-S
|
| 32 |
CVE-2025-57851
A container privilege escalation flaw was found in certain Multicluster Engine f
|
| 32 |
CVE-2026-3005
The List category posts plugin for WordPress is vulnerable to Stored Cross-Site
|
| 32 |
CVE-2026-40226
In nspawn in systemd 233 through 259 before 260, an escape-to-host action can oc
|
| 32 |
CVE-2026-5711
The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site
|
| 32 |
CVE-2026-5451
The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cros
|
| 32 |
CVE-2025-57853
A container privilege escalation flaw was found in certain Web Terminal images.
|
| 32 |
CVE-2025-57854
A container privilege escalation flaw was found in certain OpenShift Update Serv
|
| 32 |
CVE-2025-57847
A container privilege escalation flaw was found in certain Ansible Automation Pl
|
| 32 |
CVE-2025-57175
Siklu EtherHaul 8010 siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b devices have a
|
| 32 |
CVE-2026-40225
In udev in systemd before 260, local root execution can occur via malicious hard
|
| 32 |
CVE-2025-58713
A container privilege escalation flaw was found in certain Red Hat Process Autom
|
| 32 |
CVE-2026-34525
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python.
|
| 32 |
CVE-2026-25118
immich is a high performance self-hosted photo and video management solution. Pr
|
| 32 |
CVE-2026-39859
`liquidjs` 10.25.0 documents `root` as constraining filenames passed to `renderF
|
| 32 |
CVE-2026-35605
File Browser is a file managing interface for uploading, deleting, previewing, r
|
| 32 |
CVE-2026-33580
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the
|
| 32 |
CVE-2026-28810
Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP ker
|
| 32 |
CVE-2026-39841
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
|
| 32 |
CVE-2026-5123
A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the funct
|
| 32 |
CVE-2026-34508
OpenClaw before 2026.3.12 applies rate limiting only after webhook authenticatio
|
| 32 |
CVE-2026-39837
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
|
| 32 |
CVE-2026-29138
SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a spec
|
| 32 |
CVE-2026-5360
A vulnerability has been found in Free5GC 4.2.0. The affected element is an unkn
|
| 32 |
CVE-2026-5246
A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the f
|
| 32 |
CVE-2026-39839
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |